+ * Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public
+ interface. Their functionality remains unchanged.
+
+ *Jordan Montgomery*
+
+ * Deprecated EVP_PKEY_set_alias_type(). This function was previously
+ needed as a workaround to recognise SM2 keys. With OpenSSL 3.0, this key
+ type is internally recognised so the workaround is no longer needed.
+
+ Functionality is still retained as it is, but will only work with
+ EVP_PKEYs with a legacy internal key.
+
+ *Richard Levitte*
+
+ * Deprecated EVP_PKEY_CTX_set_rsa_keygen_pubexp() & introduced
+ EVP_PKEY_CTX_set1_rsa_keygen_pubexp(), which is now preferred.
+
+ *Jeremy Walch*
+
+ * Changed all "STACK" functions to be macros instead of inline functions. Macro
+ parameters are still checked for type safety at compile time via helper
+ inline functions.
+
+ *Matt Caswell*
+
+ * Remove the RAND_DRBG API
+
+ The RAND_DRBG API did not fit well into the new provider concept as
+ implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the
+ RAND_DRBG API is a mixture of 'front end' and 'back end' API calls
+ and some of its API calls are rather low-level. This holds in particular
+ for the callback mechanism (RAND_DRBG_set_callbacks()).
+
+ Adding a compatibility layer to continue supporting the RAND_DRBG API as
+ a legacy API for a regular deprecation period turned out to come at the
+ price of complicating the new provider API unnecessarily. Since the
+ RAND_DRBG API exists only since version 1.1.1, it was decided by the OMC
+ to drop it entirely.
+
+ *Paul Dale and Matthias St. Pierre*
+
+ * Allow SSL_set1_host() and SSL_add1_host() to take IP literal addresses
+ as well as actual hostnames.
+
+ *David Woodhouse*
+
+ * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
+ ignore TLS protocol version bounds when configuring DTLS-based contexts, and
+ conversely, silently ignore DTLS protocol version bounds when configuring
+ TLS-based contexts. The commands can be repeated to set bounds of both
+ types. The same applies with the corresponding "min_protocol" and
+ "max_protocol" command-line switches, in case some application uses both TLS
+ and DTLS.
+
+ SSL_CTX instances that are created for a fixed protocol version (e.g.
+ TLSv1_server_method()) also silently ignore version bounds. Previously
+ attempts to apply bounds to these protocol versions would result in an
+ error. Now only the "version-flexible" SSL_CTX instances are subject to
+ limits in configuration files in command-line options.
+
+ *Viktor Dukhovni*
+
+ * Deprecated the `ENGINE` API. Engines should be replaced with providers
+ going forward.
+
+ *Paul Dale*
+
+ * Reworked the recorded ERR codes to make better space for system errors.
+ To distinguish them, the macro `ERR_SYSTEM_ERROR()` indicates if the
+ given code is a system error (true) or an OpenSSL error (false).
+
+ *Richard Levitte*
+
+ * Reworked the test perl framework to better allow parallel testing.
+
+ *Nicola Tuveri and David von Oheimb*
+
+ * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
+ AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
+
+ *Shane Lontis*
+
+ * 'Configure' has been changed to figure out the configuration target if
+ none is given on the command line. Consequently, the 'config' script is
+ now only a mere wrapper. All documentation is changed to only mention
+ 'Configure'.
+
+ *Rich Salz and Richard Levitte*
+
+ * Added a library context that applications as well as other
+ libraries can use to form a separate context within which libcrypto
+ operations are performed.
+
+ There are two ways this can be used:
+
+ - Directly, by passing a library context to functions that take
+ such an argument, such as `EVP_CIPHER_fetch` and similar algorithm
+ fetching functions.
+ - Indirectly, by creating a new library context and then assigning
+ it as the new default, with `OPENSSL_CTX_set0_default`.
+
+ All public OpenSSL functions that take an `OPENSSL_CTX` pointer,
+ apart from the functions directly related to `OPENSSL_CTX`, accept
+ NULL to indicate that the default library context should be used.
+
+ Library code that changes the default library context using
+ `OPENSSL_CTX_set0_default` should take care to restore it with a
+ second call before returning to the caller.
+
+ *Richard Levitte*
+
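Review bot: the MinProtocol/MaxProtocol entry ends with "limits in configuration files in command-line options", which reads as a slip for "limits in configuration files and command-line options"; please fix the conjunction so the sentence states that both sources of bounds are affected. In the library context entry, the last paragraph tells library code to restore the default with "a second call" to `OPENSSL_CTX_set0_default` but does not say how the caller obtains the previous default context to pass back in; since silently leaving a swapped-in default in place would affect every subsequent libcrypto call in the process, a short clause on how the previous value is recovered (or a pointer to the function's manual page) would make the advice actionable. Minor style: "Remove the RAND_DRBG API" is the only heading line in the present tense while the neighbouring entries use "Deprecated", "Reworked", "Added"; "Removed the RAND_DRBG API" would match, and the "&" in "Deprecated EVP_PKEY_CTX_set_rsa_keygen_pubexp() & introduced" is better spelt out as "and" like the rest of the file.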